Merge pull request #1025 from ArthurHoaro/hotfix/proxy-443

Force HTTPS if the original port is 443 behind a reverse proxy
author: ArthurHoaro <arthur@hoa.ro> 2017-12-03 12:46:43 +0100
committer: GitHub <noreply@github.com> 2017-12-03 12:46:43 +0100
commit: 101b935de4852308a238c04bf5a08d01a6ebe45c (patch)
tree: 37ac469f7b391531a10044abaa06864fe4ac24a8
parent: 877491b4ad0a6a9119e667901cef40cc56116901 (diff)
parent: 8e9fc6f6e6afc052a2c3b2d459764cc9ab20420a (diff)
download: Shaarli-101b935de4852308a238c04bf5a08d01a6ebe45c.tar.gz
Shaarli-101b935de4852308a238c04bf5a08d01a6ebe45c.tar.zst
Shaarli-101b935de4852308a238c04bf5a08d01a6ebe45c.zip
2 files changed, 39 insertions, 0 deletions
diff --git a/application/HttpUtils.php b/application/HttpUtils.php
index ec54dcd4..c9371b55 100644
--- a/application/HttpUtils.php
+++ b/application/HttpUtils.php
@@ -302,6 +302,13 @@ function server_url($server)
                $port = $server['HTTP_X_FORWARDED_PORT'];
            }
+            // This is a workaround for proxies that don't forward the scheme properly.
+            // Connecting over port 443 has to be in HTTPS.
+            // See https://github.com/shaarli/Shaarli/issues/1022
+            if ($port == '443') {
+                $scheme = 'https';
+            }
            if (($scheme == 'http' && $port != '80')
                || ($scheme == 'https' && $port != '443')
            ) {
diff --git a/tests/HttpUtils/ServerUrlTest.php b/tests/HttpUtils/ServerUrlTest.php
index dac02b3e..324b827a 100644
--- a/tests/HttpUtils/ServerUrlTest.php
+++ b/tests/HttpUtils/ServerUrlTest.php
@@ -186,4 +186,36 @@ class ServerUrlTest extends PHPUnit_Framework_TestCase
            )
        );
    }
+    /**
+     * Misconfigured server (see #1022): Proxy HTTP but 443
+     */
+    public function testHttpWithPort433()
+    {
+        $this->assertEquals(
+            'https://host.tld',
+            server_url(
+                array(
+                    'HTTPS' => 'Off',
+                    'SERVER_NAME' => 'host.tld',
+                    'SERVER_PORT' => '80',
+                    'HTTP_X_FORWARDED_PROTO' => 'http',
+                    'HTTP_X_FORWARDED_PORT' => '443'
+                )
+            )
+        );
+        $this->assertEquals(
+            'https://host.tld',
+            server_url(
+                array(
+                    'HTTPS' => 'Off',
+                    'SERVER_NAME' => 'host.tld',
+                    'SERVER_PORT' => '80',
+                    'HTTP_X_FORWARDED_PROTO' => 'https, http',
+                    'HTTP_X_FORWARDED_PORT' => '443, 80'
+                )
+            )
+        );
+    }
 }
author	ArthurHoaro <arthur@hoa.ro>	2017-12-03 12:46:43 +0100
committer	GitHub <noreply@github.com>	2017-12-03 12:46:43 +0100
commit	101b935de4852308a238c04bf5a08d01a6ebe45c (patch)
tree	37ac469f7b391531a10044abaa06864fe4ac24a8
parent	877491b4ad0a6a9119e667901cef40cc56116901 (diff)
parent	8e9fc6f6e6afc052a2c3b2d459764cc9ab20420a (diff)
download	Shaarli-101b935de4852308a238c04bf5a08d01a6ebe45c.tar.gz Shaarli-101b935de4852308a238c04bf5a08d01a6ebe45c.tar.zst Shaarli-101b935de4852308a238c04bf5a08d01a6ebe45c.zip

diff --git a/application/HttpUtils.php b/application/HttpUtils.php index ec54dcd4..c9371b55 100644 --- a/application/HttpUtils.php +++ b/application/HttpUtils.php
@@ -302,6 +302,13 @@ function server_url($server)
302	$port = $server['HTTP_X_FORWARDED_PORT'];	302	$port = $server['HTTP_X_FORWARDED_PORT'];
303	}	303	}
304		304
		305	// This is a workaround for proxies that don't forward the scheme properly.
		306	// Connecting over port 443 has to be in HTTPS.
		307	// See https://github.com/shaarli/Shaarli/issues/1022
		308	if ($port == '443') {
		309	$scheme = 'https';
		310	}
		311
305	if (($scheme == 'http' && $port != '80')	312	if (($scheme == 'http' && $port != '80')
306	\|\| ($scheme == 'https' && $port != '443')	313	\|\| ($scheme == 'https' && $port != '443')
307	) {	314	) {


diff --git a/tests/HttpUtils/ServerUrlTest.php b/tests/HttpUtils/ServerUrlTest.php index dac02b3e..324b827a 100644 --- a/tests/HttpUtils/ServerUrlTest.php +++ b/tests/HttpUtils/ServerUrlTest.php
@@ -186,4 +186,36 @@ class ServerUrlTest extends PHPUnit_Framework_TestCase
186	)	186	)
187	);	187	);
188	}	188	}
		189
		190	/**
		191	* Misconfigured server (see #1022): Proxy HTTP but 443
		192	*/
		193	public function testHttpWithPort433()
		194	{
		195	$this->assertEquals(
		196	'https://host.tld',
		197	server_url(
		198	array(
		199	'HTTPS' => 'Off',
		200	'SERVER_NAME' => 'host.tld',
		201	'SERVER_PORT' => '80',
		202	'HTTP_X_FORWARDED_PROTO' => 'http',
		203	'HTTP_X_FORWARDED_PORT' => '443'
		204	)
		205	)
		206	);
		207
		208	$this->assertEquals(
		209	'https://host.tld',
		210	server_url(
		211	array(
		212	'HTTPS' => 'Off',
		213	'SERVER_NAME' => 'host.tld',
		214	'SERVER_PORT' => '80',
		215	'HTTP_X_FORWARDED_PROTO' => 'https, http',
		216	'HTTP_X_FORWARDED_PORT' => '443, 80'
		217	)
		218	)
		219	);
		220	}
189	}	221	}